C#
private void button1_Click(object sender, EventArgs e)
{
    if (txtuser.Text == "" && txtpass.Text == "")
    {
        MessageBox.Show("USERNAME and PASSWORD cannot be blank");
        txtuser.Focus();
    }
    else
    {
        SqlConnection cn = new SqlConnection("Data Source=XYZ;Initial Catalog=CRMS;Integrated Security=True");
        cn.Open();
        SqlCommand cmd = new SqlCommand("select * from login where username = '" + txtuser.Text + "' and password = '" + txtpass.Text + "'", cn);
        SqlDataReader dr = cmd.ExecuteReader();

        // Count the rows that matched the given username/password pair.
        int count = 0;
        while (dr.Read())
        {
            count += 1;
        }
        dr.Close();

        if (count == 1)
        {
            MessageBox.Show("WELCOME!", "Message", MessageBoxButtons.OK, MessageBoxIcon.Information);
            Home h = new Home();
            h.Show();
            this.Hide();
        }
        else
        {
            MessageBox.Show("Wrong Username or Password", "Message", MessageBoxButtons.OK, MessageBoxIcon.Error);
        }

        cn.Close();
        txtuser.Clear();
        txtpass.Clear();
    }
}


What I have tried:

The above code is working with no problem at all. What I need is to restrict the user after 3 unsuccessful attempts, after which the application will exit. I really don't know where to implement that. Can anyone help, please? I badly need that.
Thank you in advance!
Updated 6-Apr-17 14:34pm
Comments
PIEBALDconsult 6-Apr-17 20:07pm
   
Please use parameterized statements; do not use string concatenation to insert values into a command.
And please do not put data access code directly in your UI code.
Dave Kreskowiak 6-Apr-17 20:21pm
   
What if the user enters a password but not a username? Your IF statement doesn't account for that situation, nor the opposite.
Richard Deeming 7-Apr-17 9:56am
   
And you're storing passwords in plain text. You should only ever store a salted hash of the user's password.

Secure Password Authentication Explained Simply
Salted Password Hashing - Doing it Right

Hi,

Following is a modified version of your code to suit your needs:

1) Move the counter to a global level of the form.
2) You can use 'HasRows' of the data reader to see if a match was found.
C#
// Move the counter to a global level for the form so it survives between clicks.
int count = 0;

private void button1_Click(object sender, EventArgs e)
{
    if (txtuser.Text == "" && txtpass.Text == "")
    {
        MessageBox.Show("USERNAME and PASSWORD cannot be blank");
        txtuser.Focus();
    }
    else
    {
        SqlConnection cn = new SqlConnection("Data Source=LAPTOP-SO38VH6F;Initial Catalog=CRMS;Integrated Security=True");
        cn.Open();

        SqlCommand cmd = new SqlCommand("select * from login where username = '" + txtuser.Text + "' and password = '" + txtpass.Text + "'", cn);
        SqlDataReader dr = cmd.ExecuteReader();
        bool found = dr.HasRows; // HasRows == true means the login was found.
        dr.Close();
        cn.Close(); // Close the connection before any UI work or Application.Exit().

        if (found)
        {
            MessageBox.Show("WELCOME!", "Message", MessageBoxButtons.OK, MessageBoxIcon.Information);
            Home h = new Home();
            h.Show();
            this.Hide();
        }
        else if (++count >= 3)
        {
            MessageBox.Show("Failed in 3 login attempts. Assuming unauthorized access. Terminating!", "Message", MessageBoxButtons.OK, MessageBoxIcon.Error);
            Application.Exit();
        }
        else
        {
            // Not terminating yet: the user still has attempts left.
            MessageBox.Show("Wrong Username or Password", "Message", MessageBoxButtons.OK, MessageBoxIcon.Error);
            txtuser.Clear();
            txtpass.Clear();
        }
    }
}
Some suggestions on improving the code:

1) Wrap in TRY-CATCH.
2) It looks like you are storing the password as is in database. Please use encryption to store and retrieve.
3) Mind SQL injections. Better pass the username and password to a SQL stored procedure or function that will return YES/NO.
   
Comments
Member 13111663 6-Apr-17 20:44pm
   
Your code is correct, thank you so much! It worked for me, thank you bro!
Mehedi Shams 6-Apr-17 20:58pm
   
Thanks, glad it helped :)!
Nirav Prabtani 7-Apr-17 1:49am
   
+5 for your efforts.

Just make sure users are not going to get us to do their homework for them.
Mehedi Shams 7-Apr-17 1:52am
   
Thanks Nirav, I shall keep that in mind.
Richard Deeming 7-Apr-17 9:57am
   
"Better pass the username and password to a SQL stored procedure or function that will return YES/NO."

Using a stored procedure or function won't protect against SQL Injection. You have to use parameterized queries instead.
Mehedi Shams 7-Apr-17 20:43pm
   
Thanks Richard for the correction, this is right.
Richard Deeming 7-Apr-17 9:59am
   
"Please use encryption to store and retrieve."

No - only ever store a cryptographic hash of the salted password, using a unique hash for each record.

Secure Password Authentication Explained Simply
Salted Password Hashing - Doing it Right

"Encryption" is typically used to mean "reversible encryption", which is almost as bad as plain text. :)
Mehedi Shams 7-Apr-17 20:45pm
   
Thanks Richard, this is also a good suggestion. Thanks for the links.
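Pulling the thread together, here is one way to write the handler so that it does the three-attempt exit the question asks for and also addresses the points raised in the comments (either field blank, parameterized query instead of concatenation, salted hash instead of a plain-text password). This is an added example, not code from the question or from either solution. It assumes the form's txtuser/txtpass controls and the Home form from the question, and a login table that stores a per-user salt, a PBKDF2 hash and an iteration count rather than the password itself.

```csharp
using System;
using System.Data.SqlClient;
using System.Security.Cryptography;
using System.Windows.Forms;

public partial class LoginForm : Form
{
    private const int MaxAttempts = 3;
    private int failedAttempts;            // form-level, so it survives between clicks

    private void button1_Click(object sender, EventArgs e)
    {
        // Reject when EITHER field is blank; the original '&&' only caught both blank.
        if (txtuser.Text.Length == 0 || txtpass.Text.Length == 0)
        {
            MessageBox.Show("USERNAME and PASSWORD cannot be blank");
            return;
        }
        bool ok = VerifyCredentials(txtuser.Text, txtpass.Text);
        txtpass.Clear();                   // drop the password as soon as it has been checked
        if (ok) { failedAttempts = 0; new Home().Show(); Hide(); return; }
        if (++failedAttempts < MaxAttempts) { MessageBox.Show("Wrong Username or Password"); return; }
        MessageBox.Show("Too many failed attempts. Closing.");
        Application.Exit();                // Exit() returns to the caller, so nothing may follow it
    }

    // Assumed schema (not from the question): login(username NVARCHAR, salt VARBINARY, hash VARBINARY, iterations INT).
    private static bool VerifyCredentials(string user, string password)
    {
        const string cs = "Data Source=XYZ;Initial Catalog=CRMS;Integrated Security=True";
        using (var cn = new SqlConnection(cs))
        using (var cmd = new SqlCommand("SELECT salt, hash, iterations FROM login WHERE username = @u", cn))
        {
            cmd.Parameters.AddWithValue("@u", user);   // a parameter, never string concatenation
            cn.Open();
            using (SqlDataReader dr = cmd.ExecuteReader())
            {
                if (!dr.Read()) return false;          // unknown user: same message as a bad password
                byte[] salt = (byte[])dr["salt"], stored = (byte[])dr["hash"];
                byte[] computed;
                using (var kdf = new Rfc2898DeriveBytes(password, salt, (int)dr["iterations"]))
                    computed = kdf.GetBytes(stored.Length);
                int diff = 0;                          // constant-time compare, no early exit on mismatch
                for (int i = 0; i < stored.Length; i++) diff |= computed[i] ^ stored[i];
                return diff == 0;
            }
        }
    }
}
```

The counter lives on the form rather than in the handler, as the accepted solution suggests, and because VerifyCredentials returns a plain bool the decision to exit is made after every connection and reader has already been disposed.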
This article describes the same question.

Three times wrong login credentials then login form will exit
   
